Slashdot Mirror


Hacked Bank of India Site Labeled Trustworthy

SkiifGeek writes "When the team at Sunbelt Software picked up on a sneaky hack present on the Bank of India website, it became a unique opportunity to see how anti-phishing and website trust verification tools were handling a legitimate site that had been attacked. Unfortunately, not one of the sites or tools identified that the Bank of India website was compromised and serving malware to all visitors. The refresh time on a trust-brokering site is too long to be useful when a surf-by attack on a trusted site can take place in a matter of seconds, with a lifetime of hours, and with a victim base of thousands or greater."

9 of 54 comments

  1. How common a problem? by mordors9 · · Score: 3, Insightful

    That's the problem, how many consumers are sophisticated enough to even ask the right questions. They simply trust that their financial organization or any major web retailer has a secured site. Obviously there should be strict standards but who is going to enforce it. What authority would the agency actually have. As I have said before, there is still a lot to be said to walking into your local bank and being helped by a clerk that you see every week that you can shoot the shit with as they handle your transaction.

    1. Re:How common a problem? by Ash Vince · · Score: 3, Insightful

      That's the problem, how many consumers are sophisticated enough to even ask the right questions. On a similar note I just went to the Site Advisor page for bank of india. (http://www.siteadvisor.com/sites/bankofindia.com)

      Especially amusing is the comment some moron has posted complaining about when Bank of India was getting a red rating. Basically he is saying how he used the site for three years and it must be a site advisor problem not a problem with the Bank of India website.

      How on earth do you come up with a technological solution that copes with people who, even when they get a warning saying that the site they are about to visit is dangerous, carry on and visit the site anyway? I know that he should now have learnt his lesson (assuming he visited the site and got all that crap installed on his PC), but there must be a lot more morons out there just like him.
      --
      I don't read /. to RTFA, I read /. to offend people in ignorance.
  2. Banks: Please Stop Using ActiveX ! by Gopal.V · · Score: 5, Insightful

    There are very few instances when I actually need to rdesktop in and use a Windows machine.

    One of those is when I've actually got to visit one of my online banking sites, which requires some obscure ActiveX "security" extension to work. For someone who uses FF, NoScript and occasional peeks at Firebug, it really pisses me off when I have to disable all my own security checks to enable a site to "secure" itself.

    This is just another instance where I'd have been hit if I had been a user of the said bank (and had to use IE to browse it).

    1. Re:Banks: Please Stop Using ActiveX ! by Anonymous Coward · · Score: 5, Interesting

      The main problem is that the Indian technical institutes rarely teach anything besides Microsoft products. So each year they produce many thousands of students who know of nothing but Windows, VB.NET, SQL Server, and ActiveX. When you only really know about one particular set of technologies, and virtually nothing about the alternatives, you'll usually make poor choices regarding which technologies to use. In the case of ActiveX, its use can easily lead to compromised systems and data.

    2. Re:Banks: Please Stop Using ActiveX ! by ScrewMaster · · Score: 3, Insightful

      For someone who uses FF, NoScript and occasional peeks at Firebug,

      Don't forget Privoxy.

      But yeah, the only thing I deliberately use Internet Exploiter for is Windows Update. Requiring an ActiveX control (ActiveX!) on a financial site is unacceptable, as is forcing visitors to use Explorer. Personally, I have the same setup you do, and the occasional site that requires Explorer doesn't get visited again. I also have several sites that I use for financial purposes, and they all support Firefox. If they didn't, I'd either switch institutions, or not use their site.

      One of those is when I've actually got to visit one of my online banking sites, which requires some obscure ActiveX "security" extension to work.

      That's insane. I mean, the bank is assuming that their own security is perfect and will never be cracked, which is not realistic. When you get right down to it, you'd think that banks (of all organizations) would require the use of a more secure medium. Nothing would please me more than to navigate to my bank's Web site in Explorer and see a message "We're sorry, but due to ongoing security issues with Microsoft Internet Explorer, this site requires the use of a more capable browser" and see links to Firefox, Opera and others. When I first signed up at my current bank, it was the exact opposite, but fortunately I could just change the browser ID and it worked fine, no ActiveX crap.

      --
      The higher the technology, the sharper that two-edged sword.
  3. Re:Whoopdeedoo by garcia · · Score: 5, Insightful

    As stated, when someone like Doubleclick, Akamai or some other cache serving company gets compromised, then I will worry about things more.

    For some unknown reason, I hoped that financial institutions would have more online security than Doubleclick or Akamai.

  4. Re:iframes... by ubernostrum · · Score: 3, Informative

    They're useful for doing in-place file uploads without refreshing the page (e.g., in a web app like Gmail where you'd want to add an attachment to a message), because that's the only way to do that.

  5. Anti-phishing tools shouldn't be used to determine by Glowing Fish · · Score: 4, Interesting

    Anti-phishing tools shouldn't be used to determine which sites are good, they should be used to determine which sites are bad.
    These tools might have picked up thousands of shoddily done, fly-by-night phishing scams. It doesn't reflect badly on them if one well done, sophisticated cracked server can fool them. There are still going to be errors. These tools allow people to discount the most obvious hacks, and use their time on the 1% of most dangerous hacks.

    --
    Hopefully I didn't put any [] around my words.
  6. Re:now if it were me... by mlts · · Score: 3, Informative

    Banks, especially in the US, need a system like above for authentication, where it's not just a single username and password protecting someone's accounts from total destruction. Some banks now use a system where you type in your username, it asks one of several personal questions, then your password, but that doesn't protect much against a keylogger, as an attacker can keep trying the questions until he/she finds the one that gets presented with an answer in the keysniffer's output.

    PayPal, eBay, and Verisign offer a rebranded Vasco keyfob that one can use. Enter in username, tab to the password field, enter in your password, then append the six digit number from the Digipass Go 3 (the OEM name), and you are in. Though this is not as well engineered as a SecurID system, it still forces a would-be thief to have physical custody of the keyfob and the password to the account.

    Some European banks use a system similar to the age-old one time password system found in BSD (S/Key or OPIE). You obtain a list of one time passwords on a piece of paper that you scratch off in the mail, and every time you log in, you scratch off the next one on the list. This can be attacked (there are some targeted phishing attacks to try to get users to type in multiple lines off the OTP paper), but it keeps a compromised user PC from becoming an entry point for an attacker.

    Lastly, there are always Aladdin eTokens that store a private client certificate. This is one of the more secure ways, because there are zero passwords used. The server asks the client (any web browser, pretty much) for a certificate, similar to how an SSL-enabled web browser asks the web server for its cert; the web browser passes the signing request to the eToken, the eToken signs it on the physical card (the private key never leaves the eToken), and the server checks the validated cert against the user list and lets the user in. For academic places (universities), this is one of the absolute best ways to do things.

    All in all, probably the best solution would likely be a hybrid system, similar to an eToken NG-OTP keyfob, that allows a user to plug the token in and use it online with client certificates, or offline, typing the six digit number off the LCD screen.

    Disclaimer: I don't work for Aladdin, RSA, or Vasco, but like their products.